analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Request for Quote (RFQ) No. 6654-SOSi.eml

Full analysis: https://app.any.run/tasks/5320ae3a-0eae-4680-aacc-f45302d08660
Verdict: Malicious activity
Analysis date: December 06, 2018, 10:09:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: message/rfc822
File info: SMTP mail, ASCII text
MD5:

2C893E97CA92CEA617A1743B5A188217

SHA1:

F42FC3C1CA7B60B42899A71BFEAAAE7367681648

SHA256:

63395420E6C6BAD3A9F79116FEE0D1B86F8B52DAA4B76F93AEF2732436DDBEBE

SSDEEP:

6144:NkM0HPIGY+Ms3d6SVuUe1X/+FXcuD62zfPD7DFl0mzpk4XgD+Mpx:uvIGzB3o2uzWFXd62zXD7kyk4QD1px

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Suspicious connection from the Equation Editor

      • EQNEDT32.EXE (PID: 3804)

  • SUSPICIOUS

    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 2864)
      • EQNEDT32.EXE (PID: 3804)

    • Starts Microsoft Office Application

      • WINWORD.EXE (PID: 2580)
      • OUTLOOK.EXE (PID: 2864)

    • Application launched itself

      • WINWORD.EXE (PID: 2580)

    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 2864)

  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 2580)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 2824)
      • WINWORD.EXE (PID: 2580)
      • OUTLOOK.EXE (PID: 2864)
      • WINWORD.EXE (PID: 2152)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.eml | E-Mail message (Var. 1) (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
5
Malicious processes
0
Suspicious processes
2

Behavior graph

Click at the process to see the details
start outlook.exe winword.exe no specs winword.exe no specs winword.exe no specs eqnedt32.exe

Process information

PID
CMD
Path
Indicators
Parent process
2864"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\Request for Quote (RFQ) No. 6654-SOSi.eml"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
2824"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXEOUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Word
Version:
14.0.6024.1000
2580"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\WFYBA366\Pricing Template - 6654.doc"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEOUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Version:
14.0.6024.1000
2152"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /EmbeddingC:\Program Files\Microsoft Office\Office14\WINWORD.EXEWINWORD.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Word
Version:
14.0.6024.1000
3804"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -EmbeddingC:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
svchost.exe
User:
admin
Company:
Design Science, Inc.
Integrity Level:
MEDIUM
Description:
Microsoft Equation Editor
Version:
00110900
Total events
2 842
Read events
2 372
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1
Text files
28
Unknown types
2

Dropped files

PID
Process
Filename
Type
2864OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\CVR9570.tmp.cvr
MD5:
SHA256:
2864OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\tmp9774.tmp
MD5:
SHA256:
2864OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\WFYBA366\Pricing Template - 6654 (2).doc\:Zone.Identifier:$DATA
MD5:
SHA256:
2580WINWORD.EXEC:\Users\admin\AppData\Local\Temp\CVR4807.tmp.cvr
MD5:
SHA256:
2864OUTLOOK.EXEC:\Users\admin\AppData\Local\Temp\OICE_CFD4BD2C-D930-4667-88E7-FC3D77851E90.0\BE328396.doc\:Zone.Identifier:$DATA
MD5:
SHA256:
2580WINWORD.EXEC:\Users\admin\AppData\Local\Temp\OICE_BC836785-F13D-469D-A8B5-BFF75FBF36CB.0\E01E0C9.doc\:Zone.Identifier:$DATA
MD5:
SHA256:
2864OUTLOOK.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotmpgc
MD5:89FFC7CFC68DE9A85B22D622AEFEC30A
SHA256:E3FCC7F1C12D962062451EC29A0A55EFF7CFEC69524AB1527DC15131B8DADA4E
2580WINWORD.EXEC:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotmpgc
MD5:A34D01D293B62E367D0CD35AB500236A
SHA256:FBEF171FD40DC6192C08D963F36550B87774DFC9D840BDB10385EACF87BE0A35
2864OUTLOOK.EXEC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\WFYBA366\Pricing Template - 6654.doctext
MD5:6F764AFEE5C868E0B4E60AD5C848224D
SHA256:E327748B7BDDE7DC3967E2617A5A357ACA6B0C194B0856FA505E6A601C4AC186
2580WINWORD.EXEC:\Users\admin\AppData\Local\Temp\OICE_BC836785-F13D-469D-A8B5-BFF75FBF36CB.0\E01E0C9.doctext
MD5:6F764AFEE5C868E0B4E60AD5C848224D
SHA256:E327748B7BDDE7DC3967E2617A5A357ACA6B0C194B0856FA505E6A601C4AC186
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2864
OUTLOOK.EXE
GET
404
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
xml
345 b
whitelisted
3804
EQNEDT32.EXE
GET
404
67.199.248.10:80
http://bit.ly/2zxTNE5
US
xml
345 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3804
EQNEDT32.EXE
67.199.248.10:80
bit.ly
Bitly Inc
US
shared
2864
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
config.messenger.msn.com
  • 64.4.26.155
whitelisted
bit.ly
  • 67.199.248.10
  • 67.199.248.11
shared

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Request for Quote (RFQ) No. 6654-SOSi.eml